Reference: default posture

Status: stable. Sourced directly from contracts/gestalt-cloud-membrane.v0.json default_posture block.

The contract publishes a per-condition default posture that informs the membrane’s behavior across all operations. This page is the canonical reference.

The map

{
  "missing_standing": "refuse",
  "missing_authority_package": "pend",
  "stale_authority_package": "refuse",
  "low_confidence_extraction": "pend",
  "cross_tenant_access": "refuse",
  "projection_promotion_without_evidence": "refuse"
}

What each entry means

missing_standing → refuse

If the actor does not have standing for the cited subject and act, the membrane refuses with standing_missing. It does not silently downgrade to a pending action.

This is the strongest default. Standing is the load-bearing question of admission, and Gestalt prefers a clear refusal to a soft pend.

missing_authority_package → pend

If a capability cited in an intent depends on an authority package that is not active, the membrane pends the call rather than refusing. The pending action carries a hint about which package needs to be imported / activated.

This default exists because package activation is operational, not substantive: the cited capability may be perfectly fine; the tenant just needs to enable the package.

stale_authority_package → refuse

If the authority package is past its freshness window, the membrane refuses with authority_package_stale. It does not pend.

A stale package is not an operational gap; it is a signal that the governance has changed and the tenant must explicitly re-anchor.

low_confidence_extraction → pend

If a connector’s evidence extraction has low confidence (for example, OCR over a noisy invoice scan), the membrane pends the follow-on intent. The pending action requests review.

This default protects against silently admitting low-confidence machine-extracted facts as governed truth.

cross_tenant_access → refuse

Any call that attempts cross-tenant access is refused with cross_tenant_access. There is no escalation path and no soft pend.

This is constitutional: the forbidden surface explicitly includes cross_tenant_graph_traversal. No flag, no role, no signing posture changes this.

projection_promotion_without_evidence → refuse

A reality.promote call that does not cite the required projection promotion approval evidence is refused with reality_promotion_authority_missing.

Projection promotion is fresh Gravity admission, not a copy. If you do not have the evidence, you do not get the promotion.

How postures translate to outcomes

Posture	Outcome	Body shape
refuse	refused	structured refusal with failed_gate and refusal_reason
pend	pending	structured pending_action with required signals

Why these defaults

The defaults reflect a single design principle:

Refuse when authority is wrong. Pend when authority is incomplete.

A missing authority package is incomplete; a stale one is wrong. A low-confidence extraction is incomplete; a cross-tenant access is wrong. Missing standing is wrong; missing presence (in many flows) is incomplete.

This principle keeps refusals legible: a refusal is always a governance signal, never an operational hiccup.

Per-operation overrides

Some operations override the default posture. Notable examples:

• effect.intent for sensitive effects refuses (not pends) when no human presence receipt is cited (effect_human_presence_required).
• economy.periodClose refuses (not pends) when any closure surface in the period is open (economic_closure_surface_open).
• humanAuth.faceMatchFallback refuses (not pends) when no consent is supplied (human_auth_face_match_consent_missing).

Each operation’s per-operation refusal codes are listed in the relevant API page.

What the posture map is not

• Not configurable per tenant. The defaults are part of the contract.
• Not loggable preferences. They are governance behaviors, not observability hints.
• Not relaxable in production. Production tightens posture, not loosens it.

Where to read next

• Refusal codes
• Outcomes
• API reference
• Concepts: the membrane